Time Bank Data Breach Compromises Sensitive Customer Data of 3,953

On Aug. 14, 2025, Time Bank, a U.S.-based community bank, was impacted by a data breach that originated with one of its service providers, Marquis Software Solutions Inc. The cybersecurity breach compromised personally identifiable information (PII) of at least 3,944 Time Bank customers across the U.S.

According to official notices, Marquis, a marketing and communications vendor, detected suspicious activity on its network and determined it was the victim of a ransomware attack. So far, the breach has impacted at least 3,942 residents in Iowa, nine in Washington, and two in Maine.

Compromised information included names, addresses, phone numbers, Social Security numbers, Taxpayer Identification Numbers, financial account information (without security or access codes), and dates of birth. This is all considered personally identifiable information (PII); no protected health information (PHI) was involved.

Beginning on Nov. 26, 2025, the Marquis data breach was disclosed to the Attorney General's offices in Iowa, Maine, and Washington. The breach is considered serious due to the sensitive nature of the data exposed and the use of ransomware, a method where attackers encrypt data and demand payment for its return.

Time Bank's response

In response to the incident, Marquis immediately launched an investigation with the help of cybersecurity experts and notified federal law enforcement. The company reviewed the affected files to identify impacted individuals and is coordinating with Time Bank and other business clients to notify affected customers.

As a precaution, Marquis is offering complimentary credit monitoring and identity theft protection services to those affected. Impacted individuals are being provided with instructions to enroll in Epiq Privacy Solutions ID, which includes credit monitoring, dark web monitoring, credit protection, change of address monitoring, and identity restoration services.

Customers are encouraged to remain vigilant by monitoring their account statements and credit reports for any unauthorized activity over the next 12 to 24 months.

Given the nature of the breach, it is recommended that affected individuals consider placing a security freeze or fraud alert on their credit reports. The notification letters include detailed instructions on how to do this and provide contact information for major credit bureaus and the Federal Trade Commission.